Multiple Form Submissions

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

timWebUK
Forum Contributor
Posts: 239
Joined: Thu Oct 29, 2009 6:48 am
Location: UK

Multiple Form Submissions

Post by timWebUK »

Hi,

I've been looking into spam prevention on forms to prevent multiple requests being made to the form... captchas, throttling, banning IPs etc.

However, I don't understand how they can make so many requests at once to a form and populate it. Obviously they don't use AJAX, as that doesn't work across different domains, and my field names aren't populated via $_GET. Just an understanding would be helpful if someone could let me know.
flying_circus
Forum Regular
Posts: 732
Joined: Wed Mar 05, 2008 10:23 pm
Location: Sunriver, OR

Re: Multiple Form Submissions

Post by flying_circus »

Hey Tim,

Can you tell us more about what safeguards are already in place in your forms? Are you sure the requests received are actually coming directly from your form and are not forged?

This is something I'm interested in as well :)
timWebUK
Forum Contributor
Posts: 239
Joined: Thu Oct 29, 2009 6:48 am
Location: UK

Re: Multiple Form Submissions

Post by timWebUK »

Well, it was a completely hypothetical question; I'm not getting any problems. I was more interested in how they actually do it. I mean, I know there is JavaScript injection that can be used to populate a form, but how can this be automated and called many times when AJAX just doesn't work cross-domain unless specified?

In answer to your question, what I have on my forms is an anti-CSRF token, currently generated upon form loading, and also an HTTP Referer check (I know this is easily forged, but another layer is always good, going by the 'defense in depth' I read about in a book by Chris Shiflett). Currently I have a 6-character captcha as well, generated from a substr of an MD5 hash of a random number. This is there on every form submittal, but I'm going to look into causing it to appear after several form submittals from the same IP.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Multiple Form Submissions

Post by kaisellgren »

timWebUK wrote: I don't understand how they can make so many requests at once to a form and populate it?
Opening sockets to your server and sending POST requests. Crackers do not necessarily use the web browser to send requests.
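Two of the layers timWebUK describes above, written here as an added example (not code posted by anyone in this thread): a session-bound, single-use anti-CSRF token, and a file-backed per-IP submission counter that makes the CAPTCHA mandatory once a threshold is crossed. The counter lives outside the session on purpose, because, as kaisellgren points out, a client that opens a socket and sends POSTs directly is not a browser and will not carry a session cookie. Assumes PHP 7.4+, a writable temp directory, hypothetical threshold values, and that the CAPTCHA text was stored in $_SESSION['captcha'] when the image was generated.

```php
<?php
// Added example, not code from the thread; constants are hypothetical values.
const SUBMISSIONS_BEFORE_CAPTCHA = 3;   // plain submissions allowed per window
const WINDOW_SECONDS = 600;             // sliding window for the per-IP count

// Form render: one unpredictable, single-use token per form instance.
function issueCsrfToken(): string {
    $token = bin2hex(random_bytes(32));                    // 256 bits from the CSPRNG
    $_SESSION['csrf_tokens'][$token] = time();
    return $token;
}

// Form submit: a token is accepted exactly once, then discarded.
function consumeCsrfToken(?string $submitted): bool {
    if ($submitted === null || !isset($_SESSION['csrf_tokens'][$submitted])) return false;
    unset($_SESSION['csrf_tokens'][$submitted]);           // consumed: a replayed copy now fails
    return true;
}

// Compare the posted answer with the text stored when the CAPTCHA image was generated.
function captchaSolved(): bool {
    $expected = $_SESSION['captcha'] ?? null;
    unset($_SESSION['captcha']);                           // one attempt per generated image
    $answer = $_POST['captcha'] ?? null;
    return $expected !== null && $answer !== null && hash_equals($expected, (string) $answer);
}

// Record one submission for $ip and return how many fell inside the window. File-backed, not
// session-backed, so a scripted client that never sends a cookie is still counted.
function recordSubmission(string $ip, ?int $now = null): int {
    $now = $now ?? time();
    $fh  = fopen(sys_get_temp_dir() . '/submit_' . hash('sha256', $ip) . '.json', 'c+');
    flock($fh, LOCK_EX);                                   // serialise concurrent submits
    $stamps = json_decode(stream_get_contents($fh), true) ?: [];
    $stamps = array_values(array_filter($stamps, fn($t) => $t > $now - WINDOW_SECONDS));
    $stamps[] = $now;
    ftruncate($fh, 0); rewind($fh); fwrite($fh, json_encode($stamps));
    flock($fh, LOCK_UN); fclose($fh);
    return count($stamps);
}
session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $recent = recordSubmission($_SERVER['REMOTE_ADDR']);  // counted before any other check
    if (!consumeCsrfToken($_POST['csrf'] ?? null)) { http_response_code(403); exit; }
    if ($recent > SUBMISSIONS_BEFORE_CAPTCHA && !captchaSolved()) { http_response_code(429); exit; }
    // ... process the form fields here ...
} else {
    $token = htmlspecialchars(issueCsrfToken(), ENT_QUOTES, 'UTF-8');
    echo '<form method="post"><input type="hidden" name="csrf" value="' . $token . '"></form>';
}
```

The per-IP count is taken before the token check so that forged requests also push a source toward the CAPTCHA, and the Referer check from the earlier post can be added in front of both as a further layer.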
timWebUK
Forum Contributor
Posts: 239
Joined: Thu Oct 29, 2009 6:48 am
Location: UK

Re: Multiple Form Submissions

Post by timWebUK »

Ah thanks, I was unfamiliar with sockets. I'll have a look into them! Seems quite interesting stuff.